70-412: Configuring Advanced Windows Server 2012 servicesChapter 4Configuring Network Services1Objective 4.1: Implementing an Advanced Dynamic Host Configuration Protocol (DHCP) Solution2Dynamic Host Configuration Protocol (DHCP)The Dynamic Host Configuration Protocol (DHCP) is a network protocol that automatically configures the IP configuration of a device including assigning an IP address, subnet mask, default gateway, and primary and secondary Domain Name System (DNS) servers. Most clients and some servers that connect to a network receive their address from a DHCP server including home routers/modems and office networks. In addition, the DHCP technology and protocol has become a necessary component of Windows Deployment Services (WDS) and Network Access Protection (NAP). 2013 John Wiley & Sons, Inc.33DHCP OptionsDHCP options are not required for use by DHCP. Organizations should automatically configure these options so that they do not have to be manually configured:Option 3 RouterOption 6 DNS serversOption 15 Domain nameOption 44 WINS/NBNS serversOption 46 WINS/NBT node type 2013 John Wiley & Sons, Inc.4DHCP and DNSBy default, the DHCP server dynamically updates the DNS address host (A) resource records and pointer (PTR) resource records only if requested by the DHCP clients. By default, the client requests that the DHCP server register the DNS PTR resource record, while the client registers its own DNS A resource record. The DHCP server discards the A and PTR resource records when the clients lease is deleted. To change how DHCP registers and deletes DNS A and PTR resource records, configure it by right-clicking the IPv4 node or scope, clicking Properties, and clicking the DNS tab.
2013 John Wiley & Sons, Inc.5ReservationsDHCP client reservations allow administrators to reserve an IP address for permanent use by a DHCP client. By using reservations, you can ensure that the host will always have the same IP address. As with any other lease, when a client receives a reserved address, the client also receives all assigned options such as addresses of the default gateway and DNS servers. If these options are changed, they will automatically be updated on the client when the lease is renewed. 2013 John Wiley & Sons, Inc.6DHCP Server AuthorizationA rogue DHCP server: Is a DHCP server on a network that is not under the organizations administrative control. Can be used to interrupt network access, bypass network security, and capture private information using a man-in-the-middle attack. To protect a network from rogue DHCP servers, if the DHCP server is part of an Active Directory domain, you must authorize the DHCP server before it can hand out IP addresses. You must be an Enterprise Admins to authorize the DHCP server. If the server is a stand-alone server, Windows will verify whether it is a DHCP server on the network, and it will not start the DHCP service if there is one.
2013 John Wiley & Sons, Inc.7DHCP PoliciesStarting with Windows Server 2012, by using DHCP policies, you can give granular control over scopes, which allows you to assign different IP addresses or different options based on the device type or its role. Policies are applicable for a specific scope with a defined processing order. Options can be configured at the scope or inherited from server-wide policies. 2013 John Wiley & Sons, Inc.8SuperscopesA superscope groups multiple scopes into a single administrative entity. By using superscopes, you can support larger subnets.A superscope can be used if a scope runs out of addresses and you cannot add more addresses from the subnet.Before creating a superscope:Add a new subnet to the DHCP server. Perform multi-netting, where you lease addresses to clients in the same physical network, but the clients will be in a separate network logically by subnet. Configure routers to recognize the new subnet so that you ensure local communications in the physical network.
2013 John Wiley & Sons, Inc.9SuperscopesYou can only create a superscope if you have two or more IP scopes already created in DHCP. You can use the New Superscope Wizard to select the scopes that you want to combine together to create a superscope.
2013 John Wiley & Sons, Inc.10Multicast ScopesClass D addressesdefined from 22.214.171.124 to 126.96.36.199are used for multicast addresses. In DHCP, multicast scopes, commonly known as Multicast Address Dynamic Client Allocation Protocol (MADCAP) scopes, allow applications to reserve a multicast IP address for data and content delivery. Applications that use multicasting request addresses from the scopes needed to support the MADCAP application programming interface (API).
2013 John Wiley & Sons, Inc.11Multicast ScopesCreating and managing a multicast scope is similar to creating and managing a normal scope.Multicast scopes cannot use reservations and you cannot set additional options such as DNS and routing. Because multicast is shared by groups of computers, the default duration of a multicast scope is 30 days.
2013 John Wiley & Sons, Inc.12DHCPv6 AddressesIPv6 addresses utilize a 128-bit address space to provide addressing for every device on the Internet with a globally unique address. Because IPv6 addresses use 128 bits, the addresses are usually divided into groups of 16 bits, written as 4 hex digits. Hex digits include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. Colons separate the groups. This is an example of an IPv6 address:FE80:0000:0000:0000:02C3:B2DF:FEA5:E4F1
2013 John Wiley & Sons, Inc.13DHCPv6 AddressesThe first 64 bits of an IPv6 address define the network address, and the second 64 bits define the host address. In the previous example address, FE80:0000:0000:0000 defines the network bits and 02C3:B2DF:FEA5:E4F1 defines the host bits. The network bits are also further divided where 48 bits are used for the network prefix and the next 16 bits are used for subnetting. The remaining host bits are 64 bits. 2013 John Wiley & Sons, Inc.14IPv6 AddressingIPv6 host addresses can be configured with stateful or stateless mode. Because the two address configuration modes are independent of each other and will not trample over each other, a host can use both stateless and stateful address configuration.
2013 John Wiley & Sons, Inc.15Stateless MechanismStateless mechanism is used to configure both link-local addresses and additional non-link-local addresses based on Router Solicitation and Router Advertisement messages with neighboring routers. With stateless autoconfiguration, the MAC address is used to generate the host bits. When using stateless configuration, the address is not assigned by a DHCP server. However, a DHCP server can still assign other IPv6 configuration settings.Stateful configuration has IPv6 addresses and additional IPv6 configuration assigned by a DHCPv6 server.
2013 John Wiley & Sons, Inc.16High Availability for DHCPTo make DHCP highly available, you can use one of the following methods:Split scopesServer clusterDHCP failoverStandby server 2013 John Wiley & Sons, Inc.17Configuring Split ScopesFor years, if you wanted high availability, you would use a split-scope configuration:Also known as 80/20 configuration Uses two DHCP servers with the same scopes and options However, the scopes have complementary exclusion ranges, so there is no overlap in the addresses that they lease to clients. You do not want the two servers to hand out the same address to different clients. 2013 John Wiley & Sons, Inc.1880/20 Split 2013 John Wiley & Sons, Inc.19
DHCP FailoverDHCP failover supports two modes:Load Sharing: Both servers simultaneously supply IP configuration to clients. By default, the load is distributed evenly, 50:50. However, you can adjust the ratio if you prefer one server over another. Load Sharing is the default mode.Hot Standby: One server is the primary server that actively assigns IP configuration for the scope or subnet, and the other is the secondary server that assumes the DHCP role if the primary server becomes unavailable. Hot Standby mode is best suited when the disaster recovery site is located at a different location. 2013 John Wiley & Sons, Inc.20DHCP Name ProtectionIf an organization uses only Windows systems that are part of an Active Directory domain, each computer will have its own unique computer name, which DHCP registers in DNS on behalf of the client. Name squatting is when a non-Windows-based computer registers a name in DNS that is already registered to a Windows-based computer. To prevent conflicts when non-Microsoft systems overwrite systems that use static addresses, Windows Server 2012 introduced DHCP Name Protection.
2013 John Wiley & Sons, Inc.21Objective 4.2: Implementing an Advanced DNS Solution22Security for DNSWindows Server 2012 adds a number of new features to domain name system (DNS) security. Securing the DNS server and DNS records prevents false records from being added and prevents clients from receiving incorrect DNS query responses, which can lead them to visit phishing sites or worse. To prevent DNS being used to attack systems, implement DNS Security (DNSSEC), Cache Locking, and other security measures.
2013 John Wiley & Sons, Inc.2323DNS Security (DNSSEC)A client that uses DNS to connect is always vulnerable to redirection to an attacker's servers unless the zone has been secured using DNSSEC. The process for securing a zone using DNSSEC is called signing the zone. Once signed, any queries on the signed zone will return digital signatures along with the normal DNS resource records. The digital signatures are verified using the public key of the server or zone from the trust anchor. DNSSEC uses trust anchors represented by public keys that define the top of a chain of trust. The trust anchor verifies that a digital signature and its associated data is valid.
2013 John Wiley & Sons, Inc.24DNS Security (DNSSEC)DNS Security (DNSSEC) is a suite of protocols defined by the Internet Engineering Task Force (IETF) for use on IP networks. DNSSEC provides DNS clients, or resolvers, with proof of identity of DNS records and verified denial of existence. DNSSEC does not provide availability or confidentiality information.
2013 John Wiley & Sons, Inc.25DNS Cache LockingDNS cache locking prevents an attacker from replacing records in the resolver cache while the Time to Live (TTL) is still in force. When cache locking is enabled, records cannot be overwritten. 2013 John Wiley & Sons, Inc.26DNS Debug LoggingDNS logging is a troubleshooting tool that allows for detailed, file-based analysis of all DNS packets and messages. Event Viewer is an essential tool in the successful management and troubleshooting of a DNS server. Windows Server 2012 provides a specific DNS server application log. Dns.log contains the debug logging activity. By default, this is located in the %SYSTEMROOT%\System32\Dns folder
2013 John Wiley & Sons, Inc.27DNS Delegated AdministrationDNS is a key service within your network. Administration of the service should be restricted to those who really need it. The principle of least privilege should always apply to DNS administration.
2013 John Wiley & Sons, Inc.28DNS RecursionRecursion in DNS is the process by which a client makes a query to a DNS server for an IP address associated with a Fully Qualified Domain Name (FQDN). The server then establishes that IP address through one or many separate queries to other servers and returns the address to the querying client. If the DNS server is configured for recursion, the server makes a recursive query to other DNS servers (usually through root hints on the Internet) and eventually provides the authoritative answer to the querying client.
2013 John Wiley & Sons, Inc.29Netmask OrderingNetmask ordering prioritizes DNS responses based on the subnet of the requesting client. If several A records exist for a single name, then the one that exists in the requesting clients subnet is returned.Netmask ordering is enabled by default in Windows Server 2012. It is also possible to change the subnet mask used to define the subnets. The default is a Class C network.
2013 John Wiley & Sons, Inc.30GlobalNames ZoneWindows Server 2012 DNS provides support for single-label names without the need for NETBIOS or WINS. This allows a large multi-DNS environment to support a single name, such as address book, rather than an FQDN, such as addressbook.adatum.com.In an environment where there are several DNS suffixes such as contoso.com adatum.com and fabrikam.net, it is necessary to manually create a GlobalNames zone within DNS to allow a single-label name to be resolved. 2013 John Wiley & Sons, Inc.31Objective 4.3: Deploying and Managing IPAM32IP Address Management (IPAM)IP Address Management (IPAM) is a new feature in Windows Server 2012. IPAM provides an administrator with the ability to plan, manage, track, and audit the use of all IP addresses and the DNS services within the network.
2013 John Wiley & Sons, Inc.3333IP Address Management (IPAM)Planning, management, tracking, and auditing of IP addresses have been a thorn in every network administrators side for many years. The only methods of managing IP addresses prior to Windows Server 2012 was by the Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) management consoles, third-party databases or applications, spreadsheets, or in some cases even scraps of paper with details of every network node recorded. IPAM provides a single point of administration for all DNS and IP management features within an Active Directory Forest. 2013 John Wiley & Sons, Inc.34IPAM ComponentsThere are two main IPAM components: IPAM server: Collects data from the managed DNS and DHCP servers within the discovery scope. The IPAM server also manages the Windows Internal Database. IPAM client: Provides the interface with which the IPAM administrator manages and configures the server. 2013 John Wiley & Sons, Inc.35The starting point for the configuration of IP address blocks and IP address ranges is the main IPAM screen, which is reached through Server Manager. 2013 John Wiley & Sons, Inc.36IP Blocks and RangesUtilization of IP Address SpaceThe IPAM Server console provides a dedicated Monitor and Manage section, which includes four categories:DNS and DHCP ServersDHCP ScopesDNS Zone MonitoringServer GroupsThe DHCP Scopes category provides a detailed breakdown of the level of utilization of all dynamic IP addresses.
2013 John Wiley & Sons, Inc.37IPAM CollectionsAn IPAM collection refers to the scheduled IPAM server tasks created at the installation of the IPAM feature. The collection of IP address space data, event log data, and DNS data is critical to a successful IPAM implementation.
2013 John Wiley & Sons, Inc.38